Privacy - CompTIA Security+ SY0-701 - 5.4

00:01

Our organizations collect a massive amount of data.

00:04

And there are privacy laws that probably

00:07

apply to a great deal of this information.

00:10

In this video, we'll discuss some of these privacy concerns

00:13

and how organizations are mandated to protect your data.

00:16

In many geographies, privacy starts

00:19

at the local and state level.

00:21

There's a great deal of data that's

00:23

collected by our local governments,

00:25

especially information about our homes, our vehicles,

00:28

and information about medical licensing.

00:30

At the national level, we have laws

00:32

that protect the privacy of everyone in the country.

00:36

For example, the HIPAA laws regarding health care

00:39

are a very good example of regulations that

00:41

affect everyone in one country.

00:44

And many countries are working together

00:46

to ensure privacy for all of their citizens

00:49

regardless of where they live.

00:51

A good example of a privacy law that affects multiple countries

00:55

would be the GDPR.

00:57

This stands for the General Data Protection Regulation.

01:00

This is a regulation in the European Union

01:03

that affects privacy for everyone who lives in the EU.

01:06

Some of the information that is protected by individuals living

01:10

in these countries would be name, address, photo,

01:14

email details, bank information, online social media posts,

01:18

and much more.

01:19

The GDPR puts the control of this data

01:22

back into the user's hands.

01:24

And they decide what happens with their personal data.

01:27

If someone feels that their private information needs

01:30

to be removed from a website, they

01:32

can simply request that removal, and the website

01:34

is required to remove all of their private data.

01:38

Putting this back in the hands of the data subject

01:41

gives them the right to control where their information is.

01:45

We often refer to this as a right to be forgotten.

01:49

The GDPR defines a data subject as any information

01:53

relating to an identified or identifiable natural person.

01:58

This would effectively be anyone who lives

02:00

in those particular countries.

02:02

So anyone who's interested in protecting their private data,

02:05

such as their name, their address, their genetic makeup,

02:09

their location data, or anything else

02:11

would be considered a data subject.

02:14

Effectively, all of us are data subjects.

02:17

The GDPR and many other privacy laws

02:20

define the perspective of data privacy

02:23

from the data subject's perspective.

02:26

This is an important consideration

02:28

since many privacy laws up to this point

02:30

put the requirement for privacy on a third party or company

02:34

instead of the individual.

02:37

We've spoken in an earlier video about the responsibilities

02:40

associated with data in an organization.

02:42

But it's worthwhile to bring this up again

02:44

in the context of privacy.

02:46

We'll start with the concept of a data owner.

02:49

This would be an individual who has overall responsibility

02:53

of the data.

02:54

For example, if you're the vice president of sales,

02:56

you are the data owner for any customer relationship data.

03:00

And if you are the treasurer of the company,

03:02

you would be the data owner for all

03:04

of the financial information associated

03:06

with that organization.

03:08

Many organizations also have data controllers and data

03:12

processors.

03:13

The data controller is responsible for managing

03:16

how this data is used.

03:18

And the data processor is the person

03:20

who's actually using the data.

03:22

The data processor may be internal

03:24

within your organization, or you may be using a third party

03:27

to process that data.

03:29

For example, we can look at data and how

03:31

it's used between a payroll department and a payroll

03:34

company.

03:35

The payroll department would be the data controller.

03:38

They're the ones that define how much people get paid

03:40

and when they get paid.

03:42

They would then hand that information off

03:44

to a third party payroll company that

03:46

actually processes everyone's paychecks every week.

03:49

This relationship means that there's

03:51

a great deal of private and personal data

03:54

that's being transferred between the data controller

03:56

and the data processor.

03:57

And in the case of a third party vendor,

04:00

a company might use a non-disclosure agreement

04:02

to ensure that all of that information remains private.

04:06

If a company makes physical products,

04:08

they tend to have an inventory of those products.

04:11

The same thing applies to data.

04:13

A company that stores data has effectively a data inventory.

04:17

This data inventory is a listing of all of the data

04:20

that this company collects and stores in their organization.

04:24

This would include the owner of the data,

04:26

how often the information is updated,

04:28

and the format of that data.

04:30

To properly understand the privacy implications

04:33

of this data inventory, we need to understand

04:36

how the data is used.

04:37

Internally, we might use this data

04:39

for collaboration between different projects.

04:42

IT security may use this data.

04:44

And we may perform data quality checks on all of the data

04:47

that we store.

04:48

When sharing data with a third party that's

04:51

not part of our organization, we need

04:53

to be sure that we're following all legal guidelines

04:56

for privacy.

04:57

So we would need to understand what our data inventory is,

05:00

understand what type of data that might be,

05:03

and then make sure that if we're sharing that information,

05:06

it all falls within the realm of existing laws and regulations.